From bcdb5973e538419d5695419a3912129a75e6cc87 Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Feb 04 2010 20:33:57 +0000 Subject: - Fixes for cluster policy --- diff --git a/modules-mls.conf b/modules-mls.conf index 94c1969..b9a8218 100644 --- a/modules-mls.conf +++ b/modules-mls.conf @@ -233,6 +233,13 @@ cipe = module comsat = module # Layer: services +# Module: corosync +# +# Corosync Cluster Engine Executive +# +corosync = module + +# Layer: services # Module: clamav # # ClamAV Virus Scanner diff --git a/policy-20100106.patch b/policy-20100106.patch index 29b927b..46b1d41 100644 --- a/policy-20100106.patch +++ b/policy-20100106.patch @@ -2328,7 +2328,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.te serefpolicy-3.6.32/policy/modules/services/rgmanager.te --- nsaserefpolicy/policy/modules/services/rgmanager.te 2010-01-18 18:24:22.871540122 +0100 -+++ serefpolicy-3.6.32/policy/modules/services/rgmanager.te 2010-02-04 18:32:00.142100552 +0100 ++++ serefpolicy-3.6.32/policy/modules/services/rgmanager.te 2010-02-04 21:16:05.525935129 +0100 @@ -22,6 +22,9 @@ type rgmanager_tmp_t; files_tmp_file(rgmanager_tmp_t) 
@@ -2350,15 +2350,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # log files manage_files_pattern(rgmanager_t, rgmanager_var_log_t,rgmanager_var_log_t) logging_log_filetrans(rgmanager_t,rgmanager_var_log_t,{ file }) -@@ -61,6 +68,7 @@ +@@ -60,9 +67,6 @@ + manage_sock_files_pattern(rgmanager_t, rgmanager_var_run_t, rgmanager_var_run_t) files_pid_filetrans(rgmanager_t,rgmanager_var_run_t, { file sock_file }) - aisexec_stream_connect(rgmanager_t) -+corosync_stream_connect(rgmanager_t) - groupd_stream_connect(rgmanager_t) - +-aisexec_stream_connect(rgmanager_t) +-groupd_stream_connect(rgmanager_t) +- corecmd_exec_bin(rgmanager_t) -@@ -74,7 +82,8 @@ + corecmd_exec_sbin(rgmanager_t) + corecmd_exec_shell(rgmanager_t) +@@ -74,7 +78,8 @@ fs_getattr_xattr_fs(rgmanager_t) # need to write to /dev/misc/dlm-control @@ -2368,6 +2370,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_search_sysfs(rgmanager_t) domain_read_all_domains_state(rgmanager_t) +@@ -109,6 +114,11 @@ + ') + + # rgmanager can run resource scripts ++optional_policy(` ++ aisexec_stream_connect(rgmanager_t) ++ corosync_stream_connect(rgmanager_t) ++ groupd_stream_connect(rgmanager_t) ++') + + optional_policy(` + apache_domtrans(rgmanager_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.fc serefpolicy-3.6.32/policy/modules/services/rhcs.fc --- nsaserefpolicy/policy/modules/services/rhcs.fc 2010-01-18 18:24:22.872542275 +0100 +++ serefpolicy-3.6.32/policy/modules/services/rhcs.fc 2010-02-04 14:38:28.643078705 +0100 
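Review bot: The new optional_policy block in rgmanager.te puts `aisexec_stream_connect(rgmanager_t)`, `corosync_stream_connect(rgmanager_t)` and `groupd_stream_connect(rgmanager_t)` in a single block. An optional block is disabled as a whole when any module it requires is missing, so a build that enables corosync but not aisexec would also drop rgmanager_t's corosync and groupd socket access. Splitting it into one optional_policy block per providing module keeps the grants independent. The same grouping recurs in the later rhcs.te hunks for dlm_controld_t, gfs_controld_t and qdiskd_t (aisexec with ccs) and for fenced_t (aisexec with corosync). The block is also inserted directly under `# rgmanager can run resource scripts`, which appears to describe the apache_domtrans block that follows, so it should go above that comment.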
@@ -2397,13 +2411,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/sbin/qdiskd -- gen_context(system_u:object_r:qdiskd_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.te serefpolicy-3.6.32/policy/modules/services/rhcs.te --- nsaserefpolicy/policy/modules/services/rhcs.te 2010-01-18 18:24:22.874530726 +0100 -+++ serefpolicy-3.6.32/policy/modules/services/rhcs.te 2010-02-04 18:42:27.090100886 +0100 -@@ -128,10 +128,12 @@ ++++ serefpolicy-3.6.32/policy/modules/services/rhcs.te 2010-02-04 21:25:24.804186866 +0100 +@@ -126,12 +126,11 @@ + files_pid_filetrans(dlm_controld_t,dlm_controld_var_run_t, { file }) + stream_connect_pattern(dlm_controld_t, fenced_var_run_t, fenced_var_run_t, fenced_t) - aisexec_stream_connect(dlm_controld_t) - ccs_stream_connect(dlm_controld_t) -+corosync_stream_connect(dlm_controld_t) - groupd_stream_connect(dlm_controld_t) +-aisexec_stream_connect(dlm_controld_t) +-ccs_stream_connect(dlm_controld_t) +-groupd_stream_connect(dlm_controld_t) ++stream_connect_pattern(dlm_controld_t, groupd_var_run_t, groupd_var_run_t, groupd_t) kernel_read_system_state(dlm_controld_t) 
@@ -2411,12 +2427,52 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_rw_sysfs(dlm_controld_t) fs_manage_configfs_files(dlm_controld_t) -@@ -258,14 +260,16 @@ +@@ -146,6 +145,12 @@ + + miscfiles_read_localization(dlm_controld_t) + ++optional_policy(` ++ aisexec_stream_connect(dlm_controld_t) ++ ccs_stream_connect(dlm_controld_t) ++ corosync_stream_connect(dlm_controld_t) ++') ++ + ####################################### + # + # fenced local policy +@@ -183,8 +188,6 @@ + files_pid_filetrans(fenced_t,fenced_var_run_t, { file fifo_file }) + + stream_connect_pattern(fenced_t, groupd_var_run_t, groupd_var_run_t, groupd_t) +-aisexec_stream_connect(fenced_t) +-ccs_stream_connect(fenced_t) + + corecmd_exec_bin(fenced_t) - aisexec_stream_connect(gfs_controld_t) - ccs_stream_connect(gfs_controld_t) -+corosync_stream_connect(gfs_controld_t) - groupd_stream_connect(gfs_controld_t) +@@ -214,9 +217,11 @@ + + optional_policy(` + ccs_read_config(fenced_t) ++ ccs_stream_connect(fenced_t) + ') + + optional_policy(` ++ aisexec_stream_connect(fenced_t) + corosync_stream_connect(fenced_t) + ') + +@@ -253,19 +258,17 @@ + manage_sock_files_pattern(gfs_controld_t, gfs_controld_var_run_t, gfs_controld_var_run_t) + files_pid_filetrans(gfs_controld_t,gfs_controld_var_run_t, { file }) + +-stream_connect_pattern(gfs_controld_t, fenced_var_run_t, fenced_var_run_t, fenced_t) + stream_connect_pattern(gfs_controld_t, dlm_controld_var_run_t, dlm_controld_var_run_t, dlm_controld_t) +- +-aisexec_stream_connect(gfs_controld_t) +-ccs_stream_connect(gfs_controld_t) +-groupd_stream_connect(gfs_controld_t) ++stream_connect_pattern(gfs_controld_t, fenced_var_run_t, fenced_var_run_t, fenced_t) ++stream_connect_pattern(gfs_controld_t, groupd_var_run_t, groupd_var_run_t, groupd_t) kernel_read_system_state(gfs_controld_t) 
@@ -2430,6 +2486,61 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_rw_sysfs(gfs_controld_t) init_rw_script_tmp_files(gfs_controld_t) +@@ -278,6 +281,12 @@ + miscfiles_read_localization(gfs_controld_t) + + optional_policy(` ++ aisexec_stream_connect(gfs_controld_t) ++ ccs_stream_connect(gfs_controld_t) ++ corosync_stream_connect(gfs_controld_t) ++') ++ ++optional_policy(` + lvm_exec(gfs_controld_t) + dev_rw_lvm_control(gfs_controld_t) + ') +@@ -309,8 +318,6 @@ + manage_sock_files_pattern(groupd_t, groupd_var_run_t,groupd_var_run_t) + files_pid_filetrans(groupd_t, groupd_var_run_t, { file }) + +-aisexec_stream_connect(groupd_t) +- + dev_list_sysfs(groupd_t) + + files_read_etc_files(groupd_t) +@@ -326,6 +333,10 @@ + + logging_send_syslog_msg(groupd_t) + ++optional_policy(` ++ aisexec_stream_connect(groupd_t) ++') ++ + ###################################### + # + # qdiskd local policy +@@ -359,9 +370,6 @@ + manage_sock_files_pattern(qdiskd_t, qdiskd_var_run_t,qdiskd_var_run_t) + files_pid_filetrans(qdiskd_t,qdiskd_var_run_t, { file }) + +-aisexec_stream_connect(qdiskd_t) +-ccs_stream_connect(qdiskd_t) +- + corecmd_getattr_sbin_files(qdiskd_t) + corecmd_exec_shell(qdiskd_t) + +@@ -399,6 +407,11 @@ + miscfiles_read_localization(qdiskd_t) + + optional_policy(` ++ aisexec_stream_connect(qdiskd_t) ++ ccs_stream_connect(qdiskd_t) ++') ++ ++optional_policy(` + netutils_domtrans_ping(qdiskd_t) + ') + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.6.32/policy/modules/services/samba.te --- nsaserefpolicy/policy/modules/services/samba.te 2010-01-18 18:24:22.886540773 +0100 +++ serefpolicy-3.6.32/policy/modules/services/samba.te 2010-02-01 20:42:31.450160322 +0100
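Review bot: groupd_t and qdiskd_t get no `corosync_stream_connect`: the new optional blocks give groupd_t only `aisexec_stream_connect(groupd_t)` and qdiskd_t only the aisexec and ccs connects. rgmanager_t, dlm_controld_t, gfs_controld_t and fenced_t all carry `corosync_stream_connect` on the new side. If these two daemons also connect to the cluster engine socket on corosync-based installs, they would presumably hit AVC denials; please confirm against audit logs. If they do need it, add `corosync_stream_connect(groupd_t)` and `corosync_stream_connect(qdiskd_t)`, each in its own optional_policy block. If the omission is deliberate, a one-line comment in each block saying so would stop the access being added later without review.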